
Re: Question to all candidates: GDPR compliance review



On Fri, Apr 05, 2024 at 04:38:57PM +0200, Andreas Tille wrote:
> Hi Adrian,

Hi Andreas,

> On Fri, Apr 05, 2024 at 12:41:17AM +0300, Adrian Bunk wrote:
>...
> > Many parts of Debian's Privacy Policy look questionable.
> > 
> > For example the rights are not stated, and in addition to this being a 
> > formal problem there is also the question whether for example the Debian 
> > Data Protection team does fulfil the right to request only where 
> > required by law or whether all people around the world are treated
> > the same.
> 
> I need to admit I do not understand this example.

The Privacy Policy lacks explicit statements of the rights like
  You have the right to request a copy of all personal data.
that are legally required.

An explicit statement would also make it clear whether or not Debian 
might extend such rights to people not covered by the GDPR.

> > The attempts in the Privacy Policy for blanket eternal storage
> > of data might not pass a legal review, especially when this might
> > contain sensitive data like sexual orientation or political opinions.
> 
> I'm not aware that those personal data are stored.  If this is really
> the case you have a point.

During the RMS GR I was often thinking "assume RMS was living in the EU".

The archives of debian-vote contain plenty of sensitive data like
political opinions of RMS where it is questionable that they could
be stored forever if the GDPR applied.

And who in Debian would have been responsible for informing him that 
sensitive personal data about him is being stored by Debian that was 
provided by third parties?

>...
> > I would be glad to hear from a qualified person that I am wrong and that 
> > all handling of personal data by these teams is lawful.
> 
> If I understand you correctly you want to know my opinion whether Debian
> should pay some lawyer specialized in data privacy to inspect "all
> handling of personal data", right?

Yes.
 
> > There is also a personal side for me:
> > 
> > I am feeling quite unsafe in Debian due to not knowing what data people 
> > in positions of power in Debian who dislike me might have about me, and 
> > I want to request all data about me in Debian. This is also a prerequisite
> > for exercising the right of rectification of inaccurate personal data if 
> > any data turns out to be incorrect.
> 
> While I may be somewhat naive, I'm unaware of any positions within
> Debian that hold the power to harm others.  IMHO, the most troubling
> aspect is your feeling that there are individuals who dislike you. If
> you really feel unsafe about this situation IMHO the first step should
> be to talk to some individual you are trusting inside Debian.
>...

If I send an email requesting all data Debian has about me to 
data-protection@debian.org, will I receive a complete reply within the 
expected time, including all data members of delegations like the 
Debian Account Managers and the Community Team might have?

> Kind regards
>     Andreas.
>...

cu
Adrian

